Method for verifying the authenticity of a product

ABSTRACT

In order to verify the authenticity of a product associated with a host device, the product contains, in segments of a non-volatile memory, several different functions stored in ciphered fashion. The host device sends a control signal for selecting and activating one of those ciphered functions. The product then deciphers and executes the function. The result of the function execution is then communicated back to host device when a decision on product authenticity is made.

PRIORITY

This application claims the priority benefit of French PatentApplication number 1355728, filed on Jun. 18, 2013, the contents ofwhich is hereby incorporated by reference in its entirety to the maximumcontent allowable by law.

TECHNICAL FIELD

The present disclosure generally relates to electronic circuits and,more specifically, to a method for verifying the authenticity or theorigin of a product (an accessory or a consumable) intended to cooperatewith a device.

BACKGROUND

In many fields, it is desired to guarantee that a product, for example,an ink cartridge, a battery, an accessory, etc., to be used in a device,is an original or authentic product, that is, a product approved by thedevice manufacturer. To achieve this, an authentication key is generallystored in an electronic circuit associated with this product and isused, when the product is installed in the device or when it shouldcooperate therewith, to verify that the product is authentic.

However, if the secret can be discovered and a manufacturercommercializes products which are not approved by the devicemanufacturer, but are however equipped with circuits having the rightkey, the devices will consider these products as authentic.

SUMMARY

An embodiment aims at a technique for verifying the authenticity of aproduct, which overcomes all or part of the disadvantages of existingsolutions.

Another embodiment aims at a solution which enables to block the use ofbatches of non-authentic products without for all this preventing theuse of authentic products of same generation.

To achieve all or part of these and other objects, the presentdisclosure provides a method for verifying the authenticity of a productassociated with a host device, wherein the product contains, in segmentsof a non-volatile memory, several different functions stored in cipheredfashion, comprising the following successive steps: the host devicesends a control signal for activating one of said functions; the productdeciphers said function; the product executes the deciphered function;and the product sends a result of this execution to the host device.

According to an embodiment, a key for deciphering the segment containingthe function is contained in the activation control signal sent by thehost device.

According to an embodiment, the host device verifies the result toauthenticate the product.

According to an embodiment, the deciphered function is stored in avolatile memory only.

According to an embodiment, the method is implemented once per product.

According to an embodiment, the method is implemented on each use of theproduct by the device.

According to an embodiment, the host device contains one functionidentifier only.

According to an embodiment, said segments are stored on manufacturing ofthe product.

According to an embodiment, different versions of devices activatedifferent functions of a same type of products.

According to an embodiment, a system comprising at least one host deviceand at least one product associated with this host device, adapted tothe above method, is also provided.

According to an embodiment, the devices are printers and the productsare ink cartridges.

The foregoing and other features and advantages will be discussed indetail in the following non-limiting description of specific embodimentsin connection with the accompanying drawings.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 very schematically shows in the form of blocks an example of asystem of the type to which the present disclosure applies as anexample;

FIG. 2 illustrates an example of storage on the side of the product tobe authenticated;

FIG. 3 very schematically illustrates an embodiment of the method ofauthentication of a product by a device; and

FIG. 4 illustrates, in the form of blocks, an example of stepsimplemented by a product.

DETAILED DESCRIPTION OF THE DRAWINGS

The same elements have been designated with the same reference numeralsin the different drawings. For clarity, only those steps and elementswhich are useful to the understanding of the embodiments which will bedescribed have been shown and will be detailed. In particular, thecryptographic ciphering and deciphering processes capable of being usedin data exchanges between a device and its accessories or consumableshave not been detailed, the described embodiments being compatible withusual processes.

FIG. 1 very schematically shows, in the form of blocks, an example of asystem of the type to which the embodiments which will be describedapply.

A host device 1 is capable of receiving or of operating with one orseveral products 2, accessories (ACC), or consumables (CONS).

As a specific example of application, the host device is a printer andthe product (consumable) is an ink cartridge. According to anotherexample, it is an electronic system (for example, a game console, a cellphone, etc.) using accessories (for example, game pads, earphones, ahull, a case, etc.). More generally, it may be any type of system basedon the cooperation between a main device and one or several accessoriesor consumables.

Although reference will be made hereafter to the example of a printerand of its ink cartridges, all that will be described transposes, unlessotherwise mentioned, to the other systems.

Printer manufacturers are generally looking for a protection against theuse of counterfeit or non-authentic cartridges in order, among otherthings, to guarantee the quality and the reliability of the originalcartridges with respect to copies or “clones” for their users. Anotherobject is to avoid possible counterfeiting. Reference will be madehereafter to copies to designate non-authentic products, be they slavishimitations or more generally similar products capable of being used toreplace authentic products.

The protection generally comprises a mechanism of authentication of anew cartridge introduced into the printer, or even an authentication oneach powering-on of the printer, on each leaving of the stand-by mode,or on each printing (on each use of the product). The printer and eachcartridge are equipped with an electronic circuit adapted to such anauthentication, for example, a cryptographic processor or a programexecuted by a generic processor. Keys are present on the printer sideand on the cartridge side.

For example, as illustrated in FIG. 1, printer 1 comprises amicrocontroller-type circuit 12 (μC) capable of communicating over oneor several address, control, and data buses 13, with one or severalmemories 14, one or several peripherals 15 (PER), for example, thevarious circuits of the printer, and one or several input-outputcircuits 16 (E/S), among which a device capable of communicating withcartridges 2.

An ink cartridge 2 comprises at least one secure circuit 22 for example,of microcontroller type, comprising the same type of components (notshown): a processor, volatile and non-volatile memories, an input-outputinterface towards a bus of communication with the printer, etc.

Generally, at the manufacturing, an authentication key formed of a dataword is stored in a secure memory of circuit 22. When the cartridge ispaired up with the printer, the latter starts an authenticationprocedure based on this key. To be recognized, all cartridges compatiblewith a given printer should have a key enabling to authenticate itselfwith this printer, possibly originating from a key derivation mechanism.

Such a mechanism becomes inefficient if the key of a series ofcartridges is discovered. In such a case, copies are capable of beingmanufactured with an authentication method using the right key and theprinter will be unable to discriminate them from the originalcartridges.

A current solution for printer manufacturers is to change the printermodel to change the cartridge type. Indeed, it cannot be envisaged toprogram a new key in a new batch of printers and to change the cartridgekey, since printers already in circulation could then no longer operatewith the new cartridges.

Actually, it becomes impossible to revoke a key shared between a printerand a cartridge type, the only solution being to forbid printers alreadyin circulation to use the new cartridges. This would then force theseprinters to only use copies, which is precisely what is desired to beavoided.

According to the present disclosure, it is provided to store in cipheredfashion, in a memory of the circuit associated with the cartridges,several segments of one or several instructions capable of being used bya processor of the cartridge, each segment being ciphered with adifferent key. The stored instructions are selected to execute adifferent function from one segment or sub-program to another. Further,the storage is made in the form of opcodes and of operands directlyinterpretable by the cartridge processor. The keys for encrypting thesegments are unknown by the cartridge. They are not stored therein.

FIG. 2 illustrates an embodiment of such a method. A memory 23 of securecircuit 22 of a cartridge comprises several instruction segments 231(CSEG1, CSEG2, . . . , CSEGn). Each segment contains at least one opcodeand, possibly, all or part of the arguments (operands) of the functionto be executed. Each segment may contain several opcodes according tothe function that it represents. Certain opcodes may be present indifferent segments (for example, data reading), provided for the segmentfunction to be different.

FIG. 3 illustrates an embodiment of the method for verifying theauthenticity of a cartridge.

On introduction of a new cartridge (PRODUCT), the printer (HOST) detectsit and sends an activation control signal to the cartridge (ACT). Thecontrol signal contains an identifier of a segment 231 (SEGi) to bedecoded as well as the corresponding deciphering key (KEYi). Accordingto the mode of ciphering of the used exchanges, part of the key may becontained in the cartridge, or a key for ciphering the exchanges iscontained in the cartridge and is used for the transfer of decipheringkey KEYi of the segment.

The cartridge (its microprocessor) uses the key transmitted by theprinter to decipher the identified segment. Then, the codes of thissegment are stored in non-ciphered fashion (STORE UNCIPHERED OPCODES) ina memory (25, FIG. 2) or in an area of memory 23, accessible byprocessor 26 (PROC) of circuit 22, so that function FCTi contained inthe deciphered segment can be executed (EXEC FCTi).

Once the function has been executed by the microprocessor, one orseveral results (RESULT) are sent by the cartridge to the printer toverify the authenticity.

The printer then verifies whether the result is in accordance with whatit expects and determines whether the cartridge is authentic or not(OK/NOK). The procedure in the case of a non-authentic cartridge isusual (printer blocking, error message, etc.).

FIG. 4 illustrates, in the form of blocks, an example of stepsimplemented by a cartridge during the authentication process.

The cartridge starts by receiving (block 41, RECEIVE ACT) an activationcontrol signal sent by the printer.

As indicated hereabove, the electronic circuit of the cartridgedeciphers (block 42, DECIPHER(CSEGi)) the memory segment correspondingto the identifier sent by the printer. This identifier is, for example,the beginning address of the segment in memory 23 or the address rangeof the segment in this memory. As a variation, the cartridge contains alook-up table linking the identifiers (for example, numbers) of thesegments to their addresses in memory 23.

Function FCTi contained in the segment is, once deciphered, stored innon-ciphered fashion (block 43, STORE FCTi), for example, in memory 25.Memory 25 is not necessarily a non-volatile memory. It may indeed beprovided for the function not to be a permanent function added for thenew printer version, but only a function used to verify the authenticityon installing of the cartridge or on each initialization (starting orleaving of the printer stand-by mode). In this case, it is not necessaryto store the function in a non-volatile memory, the printer sending anactivation control signal causing the deciphering of segment CSEGi everytime. An advantage of only storing FCTi in a volatile memory is thatthis further complicate the pirate's task.

Once the function has been deciphered, it is executed (block 44, EXECFCTi(D)) by the cartridge circuit. According to the nature of thefunction, said function uses or not an operand D provided by theprinter. The nature of the function may be purely for control purposes(arithmetic operation, for example) or to exploit information of thecartridge or of the printer. FIG. 4 illustrates three arbitrary examplesof functions having their respective results expected by printerssending the corresponding activation control signals: a first functionFCT1 sum up two data D1 and D2 (block 451, ADD(D1, D2)), data D1 and D2being for example, for one of them, contained in the activation controlsignal and, for the other, contained in segment CSEG1; a second functionFCT2 multiplies two data D1 and D2 (block 452, MULT(D1, D2)); an n-thfunction FCTn checks the cartridge ink level (block 45 n, CHECK LEVEL).The cartridge sends the result of the function to the printer (block 46,SEND RESULT), which validates or invalidates this result and allows ornot the operation. Whatever the function, the printer knows either theresult of an operation that it expects, or the nature of the informationto be communicated thereto by the cartridge.

According to a first aspect, the activation control signal is sent eachtime an authentication is needed. It can be considered that theactivation control signal includes the execution control signal. Thesegment is then deciphered each time it should be used. In this case, astorage in a non-volatile memory of the deciphered segment is notnecessary since the corresponding function is only used once on eachdeciphering.

According to a second aspect, the function is, in a first phase,deciphered at the cartridge installation (once per product) and is thenstored in non-ciphered fashion in the non-volatile memory of thecartridge. The printer may, in a second phase, implement anauthentication procedure, for example, on each leaving of the stand-bymode or on each printing, by sending a control signal for executing thefunction (possibly, with different arguments from one time to theother).

According to an alternative embodiment, the segments also contain a keycapable of being used by the cartridge to then cipher its exchanges withthe printer. Such a ciphering is usual per se.

On design of a cartridge type, the printer manufacturer selects a numbern of functions FCT to be integrated in ciphered fashion in the cartridgememory. The higher this number, the more it then has the possibility ofblocking successive versions of non-authentic cartridges, but the morespace this takes in the non-volatile memory of the cartridge. Indeed,the cartridge contains all the ciphered segments as soon as it iscreated.

Then, for each printer version compatible with this type of cartridge,the manufacturer has the choice of the function to be activated.Preferably, a given printer only has in memory a control signal foractivating a given segment CSEGi. As a variation, the identifier of thenew segment may be communicated thereto during a software update.

If the printer manufacturer desires, for a new printer version, torevoke a key used by cartridges currently in circulation, the parametersthis new printer version so that it activates a new segment on thecartridges. All authentic cartridges will keep on operating and beingcompatible with the new version.

However, even if a manufacturer of non-authentic cartridges succeeds inreproducing the key of one of the segments on his own cartridges from apiracy of cartridges in circulation, this will only enable the copies tooperate on printers of the version using the corresponding function.Copies will not function on the new printer version, which uses anothersegment. Thus, non-authentic cartridges, adapted to the first series,will only be adapted to the first printer version. This considerablycomplicates the task of the pirate manufacturer.

Thus, a manufacturer which finds out the existence of copies mayparameterize the new printers so that they activate a different segmentof cartridges in circulation. The new printer versions, while beingcompatible with the same type of cartridges, will wait for a differentresult of the authentication procedure. Accordingly,already-manufactured non-authentic cartridges will not work with newprinters.

Further, the provided mechanism is compatible with an optional update ofprinters already in circulation, for example, during softwaremodifications. Thus, for printers capable of being updated, for example,from an internet connection via a computer or directly, the manufacturercan cause the segment change.

Assuming that the memory of the authentication circuit of a cartridge istotally pirated, all the ciphered segments are then present innon-authentic circuits. The segments may even be decoded since the keyreceived by the printer will be usable by the copy. However, chances areslight for the program, once decoded, to operate and execute thefunction having its result expected by the printer. Indeed,non-authentic circuits reproduce the mechanisms of protected exchangewith the printer by pirating the encryption algorithms and the keys.However, they do not use the same processor cores as the originalproducts. Accordingly, the deciphered functions will be impossible toexecute on the processor of the non-authentic circuit.

Exchanges between the printer and the cartridge may be secured in usualfashion (for example, a symmetrical or asymmetrical ciphering based onkeys contained in the cartridge and in the printer, provided for thesekeys to be different in the ciphering keys of segments 231). However,even with the deciphering key of a segment, a non-authentic cartridgewill not operate, unless it has exactly the same microcontroller andexploitation system, which strongly limits risks.

Various embodiments have been described, various alterations andmodifications will occur to those skilled in the art. In particular, theselection of the number of segments to be stored in the products(accessories or consumables) depends on the application and on thesecurity level desired in terms of possible depth of change. Further,the selection of the authentication mechanisms also depends on theapplication. Further, the practical implementation of the describedembodiments is within the abilities of those skilled in the art based onthe functional indications given hereabove and by using encryption andprogramming tools usual per se.

Such alterations, modifications, and improvements are intended to bepart of this disclosure, and are intended to be within the spirit andthe scope of the present invention. Accordingly, the foregoingdescription is by way of example only and is not intended to belimiting. The present invention is limited only as defined in thefollowing claims and the equivalents thereto.

What is claimed is:
 1. A method for verifying the authenticity of aproduct associated with a host device, wherein the product contains, insegments of a non-volatile memory, several different functions stored inciphered fashion, comprising the following successive steps: the hostdevice sends a control signal for activating one of said functions; theproduct deciphers this function; the product executes the decipheredfunction; and the product sends a result of this execution to the hostdevice.
 2. The method of claim 1, wherein a key for deciphering thesegment containing the function is contained in the activation controlsignal sent by the host device.
 3. The method of claim 1, wherein thehost device verifies the result to authenticate the product.
 4. Themethod of claim 1, wherein the deciphered function is stored in avolatile memory only.
 5. The method of claim 1, implemented once perproduct.
 6. The method of claim 1, implemented on each use of theproduct by the device.
 7. The method of claim 1, wherein the host devicecontains one function identifier only.
 8. The method of claim 1, whereinsaid segments are stored on manufacturing of the product.
 9. The methodof claim 1, wherein different versions of devices activate differentfunctions of a same type of products.
 10. A system, comprising: at leastone host device; and at least one product associated with this hostdevice; wherein the host device is configured to send a control signalfor activating a function of the product; and wherein the product isconfigured to: decipher the function; execute the deciphered function;and send a result of this execution to the host device.
 11. The systemof claim 10, wherein the device is a printer and the product is an inkcartridge.
 12. A method, comprising: sending by a first device to asecond device of a control signal for selecting one of a plurality offunctions stored in ciphered fashion; deciphering by the second deviceof the selected function; executing by the second device of thedeciphered function; and sending by the second device to the firstdevice of a result of the execution, said result indicative of whetherthe second device is an authentic device for use with the first device.13. The method of claim 12, wherein the control signal includes a keyfor deciphering the selected function; wherein deciphering comprisesusing by the second device of the key from the control signal todecipher the selected function.
 14. The method of claim 12, furthercomprising verifying by the first device verifies of the sent result toauthenticate the second device for use with the first device.